Fix for hotels’ electronic door lock hack slow to roll out

Manufacturer now says it will cover most costs to replace all 4 million locks.

Electronic lock manufacturer Onity has finally agreed to reimburse its customers—major hotel chains like Marriott, Hyatt, and InterContinental (IHG)—for some of the costs of replacing its hackable locks.

Back in July, a security researcher exposed the fact that Onity locks (in use on around 4 million hotel rooms worldwide) could be opened in a matter of seconds using a custom-built kit that cost about $50. The company acknowledged the flaw but offered little in the way of a response until November.

Last month, following the theft of a laptop from a Texas hotel room using this hardware hack, the company began instituting a temporary hardware fix by physically blocking access to the ports with epoxy, and more recently, with a plastic plug and “security screws.”

Now Forbes, which has been following this story for months, reports on the basis of new corporate memos that the company has come to agreements with its hotel customers but has been less than forthright about who will pay for these fixes.

“Just how much of the fix Onity is paying for in each customer’s case seems to vary,” Forbes reporter Andy Greenberg wrote on Thursday. “Though Onity seems to be offering the full price of the hardware fix for returned circuit boards from IHG and Marriott, the Hyatt memo states that Onity would charge $11 for every new circuit board it installed and repay only $6 for the replaced ones. It also mentions a $10 charge per lock for on-site firmware upgrades, as opposed to the free firmware upgrades in the other two deals.”

Greenberg published one of the internal corporate memos between Onity and Marriott-managed and franchised hotels, which Onity declined to confirm or deny was authentic.

When Ars contacted Onity for comment, Suzanne Fritz, a company spokesperson, returned essentially the same canned statement that she gave to Forbes, which makes no mention of a permanent, technical replacement for the vulnerable locks.

“As of November 30, 2012, Onity has shipped 1.4 million solutions for locks to hotel properties,” she said by e-mail. “Over the next several weeks, we will ensure all hotel properties in our database receive the mechanical solution. These mechanical caps and security screws block physical access to the lock ports that hackers use to illegally break into hotel rooms. The mechanical solution remains free of charge to customers.”

Cyrus Farivar
Cyrus is the Senior Business Editor at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is due out in May 2018 from Melville House. Email: cyrus.farivar@arstechnica.com // Twitter: @cfarivar

Wow, they're only willing to cover half? That's crappy. A lock is implied to do its job and not be easily circumvented. They made a faulty product, and should fix them all if they expect anyone to continue using their products.

Maybe, if there's a company left after this debacle, they'll come up w/ a firmware upgradeable board instead of having to replace them on every individual lock.

It's an interesting question: when a lock fails, who should pay the bill? Are Onity's contracts written with security guarantees? If not, no one should be surprised that they want to charge for the fix. Of course it's probably in their best interest to make sure they fix everything, otherwise they'll never sell another lock. So what are the hotels actually buying: a piece of hardware, or a security guarantee?


It's not a matter of a "guarantee". This happened because the manufacturer depended on "security through obscurity", the biggest security no-no. And this is a, er, security company, so that's inexcusable negligence.


No lock can really guarantee that it won't be picked by someone with the right tools and skills. I don't think electronic locks are any different. If one angle of attack fails for hackers, they'll just keep trying different things until they find something they can exploit, if they feel it's worth the effort.

If somebody is determined enough to spend $50 to hack these locks, they're not going to be deterred by "security" screws that will cost even less to get around. A nice security bit set doesn't cost all that much.

I wonder why Hyatt ended up with a deal that's so much worse than IHG and Marriott's deal. Did they have crappy old versions of the locks which justified them paying a bit themselves for the upgrades, or did they just have really crappy negotiators when talking to Onity?

No lock can really guarantee that it won't be picked by someone with the right tools and skills. I don't think electronic locks are any different. If one angle of attack fails for hackers, they'll just keep trying different things until they find something they can exploit, if they feel it's worth the effort.

This is an important point: most locks can be "hacked" with two pieces of metal and 30 minutes of practice, and no one would expect a lock company to replace all of the locks in an apartment complex because they can be picked.

And this is also not like hacking a server and downloading a lot of personal information: it's not like you can use the lock hack to remotely download the contents of all of the rooms at a Marriott. The criminal still has to buy the parts, create the device, go to the hotel, and break into the rooms, and steal the property.

Having said that, though, once someone has implemented the hack, it looks to go a lot faster than picking a lock, which makes it much easier to do. And, probably more importantly, there has been a lot of publicity.

(Also, there is potentially huge legal liability for the hotel chains if they know that they don't have secure locks and fail to replace them. The liability would not be for thefts (that's minimal), but for a case where someone broke into a room and raped/attacked/killed a hotel guest.)


Probably before the time of most Ars readers, but the rape scenario you suggested happened to Connie Francis. She sued the hotel and collected $2.5 million in 1974.

I think the big issue here is why they would expose the board's innards to the outside world in the first place. I can understand how useful an external port would be for programming and production, but why on earth would that be something they would allow access to on the devices they ship? I guess it might not have been as easy to see when these devices were produced, but I'm still baffled that there was that great of a need for an external communication port on these devices. I can't understand how they didn't see how huge of a vulnerability that was.

The amount of computing power you can carry around with you in a handheld device has never been greater. With all the stories about infrastructure/power grid back doors and default accounts being compromised, it's hard to believe anyone okayed allowing anyone access to connect to their device's sensitive electronics. The amount of time to crack and brute-force access has never been lower, and it keeps getting lower as devices get more powerful and people learn more ingenious ways to crack passwords and perform hashes.

I agree that the company should provide a fix, but I don't think it should be replacing the board.. I think they should merely provide a new outer casing or cowl WITHOUT a comm port on it. That would solve the issue immediately.

There's a saying in the hotel business: "We're not pioneers, because pioneers were shot in the back with arrows". We're not a money business, nor a tech business, which means we are always about 10 years behind on tech trends. We got destroyed during the SEO boom, and we bungled our wireless installs, etc.... and the pace of tech moves so fast that we can't keep up with it, nor afford the infrastructural changes and associated costs. It's why we allowed hospitals and dormitories to pioneer capital projects, so they could fail and learn, and we simply took those lessons they learned with tremendous associated costs and copied them. That isn't practical anymore, and it means we put ourselves in a precarious place for our guests - not cultivating the guest experience with up to date and expected amenities (like bandwidth). But that is changing, and we're getting smarter.

Smarter such that we are all very curious about the presumption Onity has that we should be paying for *ANY* of this. A previous commenter suggested that, if the brands push back a bit more, Onity won't have a choice but to pony up for the problem that is 100% of their making. Not being tech people, we partner with vendors that are smart enough to hold our hand, and protect us from our own ignorance - helping us answer the questions we don't know to ask. The idea that we should know about a security flaw prior to purchasing their product, and that we would have to be accountable for that same flaw, is absurd. Hotels shouldn't be paying a cent for this fix, and whether it hobbles Onity as a business is irrelevant to me - the free market is such that a business is accountable, and learns lessons, from operational experience. If they aren't transparent and accountable for their mistakes, or choose not to learn their lessons and pass on the cost to their clients - the free market allows me to establish stronger, more self-aware relationships with Tesa / VingCard or Saflok. I have purchased countless Onity locks for properties, and there are always more doors. I would hate to think that their botched public relations with this obviously panicked and confused response would destabilize our long-time relationship to the point of ending it.